Everyone is familiar with the OWASP Top 10. Below you will find some notes on the Top 10, as well as ways to mitigate these potential threats to your environment.
This is the first in a series that will cover the attack vectors and how to apply the protection methods.
A1 - Injection
Description: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
BIG-IP ASM mitigation: BIG-IP ASM inspects application traffic and blocks the insertion of malicious scripts. It does so by enforcing injection attack patterns and enforcing accurate usage of metacharacters within the URI and parameter names. ASM also looks at parameter values and can enforce pre-defined allowed values, length and accurate usage of metacharacters.
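The following is an added example (not code from the document or from F5) showing the two halves of the injection entry at the application layer: a lookup that splices untrusted data into SQL text beside one that binds it as a parameter, plus a small parameter policy (bounded length, character allow-list) of the kind ASM applies to parameter values. The table contents, the `USERNAME_POLICY` pattern and the `demo` helper are constructed for illustration.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not data from the document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the untrusted value is spliced into the query text,
    # so the SQL interpreter cannot distinguish data from syntax.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is bound as a parameter and is never parsed as SQL,
    # whatever metacharacters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Hypothetical parameter policy in the spirit of "pre-defined allowed values,
# length and accurate usage of metacharacters": bounded length and a character
# allow-list that excludes quotes, semicolons and other delimiters.
USERNAME_POLICY = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def parameter_allowed(value: str) -> bool:
    return USERNAME_POLICY.fullmatch(value) is not None

def demo() -> dict:
    """Run both lookups against a tautology-style injection string."""
    conn = build_db()
    hostile = "alice' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_user_unsafe(conn, hostile)),  # every row leaks
        "safe_rows": len(lookup_user_safe(conn, hostile)),      # no user has that name
        "policy_blocks_it": not parameter_allowed(hostile),
    }

if __name__ == "__main__":
    print(demo())
```

The parameter policy is a second, independent layer: even if a query somewhere in the application is still string-built, a value that fails the policy never reaches the interpreter, which is the effect ASM's parameter enforcement has in front of the application.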
A2 - Cross-Site Scripting (XSS)
Description: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
BIG-IP ASM mitigation: BIG-IP ASM protects against Cross-Site Scripting attacks by enforcing XSS attack patterns and enforcing accurate usage of metacharacters within the URI and parameter names. ASM also looks at parameter values and can enforce pre-defined allowed values, length and accurate usage of metacharacters.
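As an added example (not from the document or F5), the "proper validation and escaping" the XSS entry refers to, shown in application code: one renderer concatenates untrusted fields into HTML, the other escapes each field for the context it lands in (element body, attribute value, and a link target that is only allowed to be a plain http(s) URL). The comment fields and the `safe_href` helper are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

def render_comment_unsafe(author: str, link: str, body: str) -> str:
    # Vulnerable pattern: untrusted fields are dropped straight into markup,
    # so any tag or quote in the data is interpreted by the browser.
    return f'<p><a href="{link}">{author}</a>: {body}</p>'

def safe_href(link: str) -> str:
    # Only absolute http(s) links are kept; javascript:, data: and
    # scheme-relative //host values are replaced by an inert anchor.
    try:
        parts = urlsplit(link.strip())
    except ValueError:
        return "#"
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(link, quote=True)

def render_comment_safe(author: str, link: str, body: str) -> str:
    # Hardened: every value is escaped on output. quote=True also turns
    # " and ' into entities, so a value cannot close an attribute early.
    return (
        f'<p><a href="{safe_href(link)}">{html.escape(author, quote=True)}</a>: '
        f"{html.escape(body, quote=True)}</p>"
    )

if __name__ == "__main__":
    print(render_comment_safe('a" onmouseover="x', "javascript:alert(1)", "<b>hi</b>"))
```

Escaping on output is the complement of the pattern and metacharacter checks ASM applies on input: the application remains correct even for data that reached it through a path the WAF did not see.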
A3
Using SSL on the login page

Insecure Direct Object References
Description: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
BIG-IP ASM mitigation: BIG-IP ASM mitigates this vulnerability by enforcing dynamic parameters (making sure values that were set by the server will not be changed on the client side). Also, the admin can whitelist the allowed URLs for the specific application and scan the requests with attack patterns.
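An added example (not from the document or F5) of the two protections named for direct object references: an ownership check performed after the lookup, so a reference in the request is never trusted on its own, and an application-level analogue of dynamic parameter enforcement, where a server-set value carries a MAC and a client-side change is detected. The `INVOICES` table, the key handling and the function names are constructed for illustration; the HMAC scheme is mine, not a description of how ASM implements dynamic parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (not data from the document).
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
}

def fetch_invoice(session_user: str, invoice_id: int) -> Optional[dict]:
    # The id from the request selects a record, but the record's owner must
    # match the authenticated user before anything is returned. "Missing" and
    # "not yours" get the same answer so the id space is not enumerable.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        return None
    return record

# Hypothetical per-deployment secret; in practice loaded from secret storage.
DYNAMIC_PARAM_KEY = secrets.token_bytes(32)

def _mac(name: str, value: str) -> str:
    return hmac.new(DYNAMIC_PARAM_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def sign_dynamic_param(name: str, value: str) -> str:
    # The server emits "value|mac" into the page or form.
    return f"{value}|{_mac(name, value)}"

def verify_dynamic_param(name: str, signed: str) -> Optional[str]:
    # On the next request the MAC is recomputed; any edit to the value (or a
    # missing MAC) yields None, which the caller treats as a blocked request.
    value, _, mac = signed.rpartition("|")
    if not value or not hmac.compare_digest(mac, _mac(name, value)):
        return None
    return value

if __name__ == "__main__":
    token = sign_dynamic_param("invoice_id", "1001")
    print(verify_dynamic_param("invoice_id", token))
    print(verify_dynamic_param("invoice_id", "1002|" + token.split("|")[1]))
```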
Session hijacking

A5 - Cross-Site Request Forgery (CSRF)
Description: A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
BIG-IP ASM mitigation: BIG-IP ASM mitigates CSRF attacks by adding a random nonce to every URL. This nonce cannot be guessed in advance by an attacker and therefore makes the attack almost impossible. In addition, ASM prevents XSS within an application and enforces the application flow and dynamic parameter values.
With flow access, a session timeout can be combined with an F5 iRule designed to check the referrer header to minimize CSRF. For instance, flow enforcement mitigates CSRF by limiting the entry points or web pages of attacks, along with short session timeouts. If referring to, say, www.food.com, ASM checks the referrer header in the URL to make sure it's food.com.
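The following is an added example (not from the document or F5) of the two CSRF controls the entry describes, done inside the application rather than on the BIG-IP: an unguessable per-session nonce that every state-changing request must echo back, and a referrer check that compares the Referer host exactly against the site's host (so `www.food.com.attacker.example` does not pass). The session and header dictionaries, and the `demo` helper, are constructed for illustration; `www.food.com` is the host used in the document's own example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

def issue_csrf_token(session: dict) -> str:
    # One random nonce per session, kept server-side and embedded in forms.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_valid(session: dict, submitted: str) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the nonce cannot be recovered byte by byte.
    return hmac.compare_digest(expected, submitted)

def referer_ok(headers: dict, expected_host: str) -> bool:
    # A request with no Referer is treated as untrusted for state changes;
    # the host must match exactly, not merely contain the expected name.
    referer = headers.get("Referer")
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    return host is not None and host.lower() == expected_host.lower()

def accept_state_change(session: dict, form: dict, headers: dict, site_host: str) -> bool:
    # Both checks must pass for a request that changes server state.
    return csrf_token_valid(session, form.get("csrf_token", "")) and referer_ok(headers, site_host)

def demo() -> tuple:
    """Legitimate form post versus a cross-site request that carries no nonce."""
    session = {}
    token = issue_csrf_token(session)
    site = "www.food.com"
    legit = accept_state_change(session, {"csrf_token": token},
                                {"Referer": f"https://{site}/transfer"}, site)
    forged = accept_state_change(session, {},
                                 {"Referer": "https://attacker.example/"}, site)
    return legit, forged

if __name__ == "__main__":
    print(demo())
```

The nonce is the primary control; the referrer check is the belt-and-braces layer the document attaches to an iRule, and it deliberately fails closed when the header is absent.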
A6 - Security Misconfiguration
Description: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
BIG-IP ASM mitigation: BIG-IP ASM can mitigate attacks that are related to misconfiguration by using a broad range of controls, starting with:
- RFC enforcement
- Enforcing various limits on the requests
- Whitelisting the URLs and parameter names and values
- Enforcing a login page
- Being a native full reverse proxy
A7 - Insecure Cryptographic Storage
Description: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
BIG-IP ASM mitigation: While this isn't directly related to BIG-IP ASM or WAF, OWASP is mostly concerned with what type of encryption is used and how it is used. These are both outside of the enforcement purview of ASM; however, ASM delivers the following:
- Data Guard: if someone managed to cause an information leakage, Data Guard can block it
A8 - Failure to Restrict URL Access
Description: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
BIG-IP ASM mitigation: There are multiple ways that BIG-IP ASM can mitigate this issue: ASM enforces allowed file types and URLs, accurate parameter values, and login pages. BIG-IP ASM's flow technology ensures that site content is only accessed by users that have acquired the proper credentials or visited the prerequisite pages. Users can only visit personal web pages if they have come from, say, a user ID and password sign-on web page.
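An added example (not from the document or F5) of the point the entry makes: the access check runs on every request, not only when a link is rendered, and a page can additionally require that the user has passed through prerequisite pages, which is the effect described for ASM's flow enforcement. The paths, roles and `ACCESS_POLICY` structure are constructed for illustration and the policy is default-deny: any path that is neither public nor listed is refused, so a "hidden" page cannot be reached by guessing its URL.

```python
# Constructed policy: public paths, and for each protected path the roles
# allowed and the pages the user must already have visited in this session.
PUBLIC_PATHS = {"/", "/login"}
ACCESS_POLICY = {
    "/account":          {"roles": {"user", "admin"}, "requires": ["/login"]},
    "/admin/users":      {"roles": {"admin"},         "requires": ["/login"]},
    "/checkout/cart":    {"roles": {"user"},          "requires": ["/login"]},
    "/checkout/confirm": {"roles": {"user"},          "requires": ["/login", "/checkout/cart"]},
}

def authorize(session: dict, path: str) -> bool:
    if path in PUBLIC_PATHS:
        return True
    policy = ACCESS_POLICY.get(path)
    if policy is None:
        return False  # default deny: unlisted pages are not reachable at all
    if session.get("role") not in policy["roles"]:
        return False
    visited = session.get("visited", [])
    # Flow enforcement: every prerequisite page must appear in this session.
    return all(prereq in visited for prereq in policy["requires"])

def handle_request(session: dict, path: str) -> str:
    # The check is repeated for every request; a forged URL to a protected
    # page gets the same answer as a link the user was never shown.
    if not authorize(session, path):
        return "403"
    session.setdefault("visited", []).append(path)
    return "200"

def demo() -> list:
    """Status codes for a constructed browsing sequence."""
    session = {}
    codes = [handle_request(session, "/account")]        # not signed on yet
    handle_request(session, "/login")
    session["role"] = "user"                              # credentials accepted
    codes.append(handle_request(session, "/account"))     # signed on, came from /login
    codes.append(handle_request(session, "/admin/users")) # wrong role
    codes.append(handle_request(session, "/checkout/confirm"))  # skipped the cart page
    codes.append(handle_request(session, "/checkout/cart"))
    codes.append(handle_request(session, "/checkout/confirm"))  # prerequisite now met
    codes.append(handle_request(session, "/reports/hidden"))    # unlisted: denied
    return codes

if __name__ == "__main__":
    print(demo())
```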
A10 - Unvalidated Redirects and Forwards
Description: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
BIG-IP ASM mitigation: BIG-IP ASM mitigates this issue by enforcing unique attack patterns, enforcing accurate values of parameters and enforcing dynamic parameters.
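As an added example (not from the document or F5), the "proper validation" of a redirect parameter, done with an allow-list of destination hosts: only a local absolute path or an http(s) URL whose host is on the list is accepted, and everything else falls back to a fixed default. The allow-list reuses the document's `www.food.com` host as a constructed value; the function name and the default target are my own. The edge cases handled go slightly beyond the entry's wording: scheme-relative `//host` values, backslashes (which browsers treat like forward slashes), credentials before an `@`, lookalike suffix hosts, and non-http schemes.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this site is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.food.com", "food.com"}
DEFAULT_TARGET = "/"

def safe_redirect_target(next_url: str) -> str:
    """Return next_url if it is a safe destination, otherwise DEFAULT_TARGET."""
    if not next_url:
        return DEFAULT_TARGET
    candidate = next_url.strip()
    # Control characters can split headers; "\" is treated as "/" by browsers,
    # so "/\evil.test" would otherwise parse as a local path and redirect offsite.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return DEFAULT_TARGET
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Site-local path: must be absolute and not scheme-relative ("//host").
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, and "//host" (empty scheme) land here
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if host in ALLOWED_REDIRECT_HOSTS:
        return candidate
    return DEFAULT_TARGET

if __name__ == "__main__":
    for sample in ["/account", "//attacker.example/", "https://www.food.com/x",
                   "https://www.food.com.attacker.example/", "https://www.food.com@attacker.example/"]:
        print(f"{sample!r} -> {safe_redirect_target(sample)!r}")
```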
F5 Networks, Inc. | 401 Elliot Avenue West, Seattle, WA 98119 | 888-882-4447 | f5.com
F5 Networks, Inc. Corporate Headquarters: info@f5.com
F5 Networks Asia-Pacific: apacinfo@f5.com
F5 Networks Ltd. Europe/Middle-East/Africa: emeainfo@f5.com
F5 Networks Japan K.K.: f5j-info@f5.com
2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113